Your message dated Wed, 3 Dec 2014 22:05:18 +0100
with message-id <20141203210518.GB1597@crossbow>
and subject line Re: Bug#771896: apt-transport-https must depend on ca-certificates
has caused the Debian Bug report #771896,
regarding apt-transport-https must depend on ca-certificates
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
771896: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771896
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt-transport-https must depend on ca-certificates
- From: Pirate Praveen <praveen@debian.org>
- Date: Wed, 03 Dec 2014 15:41:29 +0530
- Message-id: <547EE1D1.5010506@debian.org>
package: apt-transport-https
version: 1.0.9.3
severity: grave
justification: installing apt-transport-https should be enough to access https repos

On a fresh chroot, apt-get update failed on a https repo even when apt-transport-https was installed. It was working after ca-certificates package was installed.

root@savannah:/# echo deb https://people.debian.org/~praveen/diaspora-unreleased unstable main >>/etc/apt/sources.list
root@savannah:/# apt-get update
Ign https://people.debian.org unstable InRelease
Ign https://people.debian.org unstable Release.gpg
Ign https://people.debian.org unstable Release
Get:1 http://ftp.de.debian.org jessie InRelease [191 kB]
Err https://people.debian.org unstable/main amd64 Packages
Ign https://people.debian.org unstable/main Translation-en
Get:2 http://ftp.de.debian.org jessie/main amd64 Packages/DiffIndex [7876 B]
Get:3 http://ftp.de.debian.org jessie/main Translation-en/DiffIndex [7876 B]
Get:4 http://ftp.de.debian.org jessie/main amd64 2014-12-03-0244.11.pdiff [14.4 kB]
Get:5 http://ftp.de.debian.org jessie/main amd64 2014-12-03-0244.11.pdiff [14.4 kB]
Fetched 221 kB in 20s (10.6 kB/s)
W: Failed to fetch https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages
E: Some index files failed to download. They have been ignored, or old ones used instead.
root@savannah:/# apt-get update
Ign https://people.debian.org unstable InRelease
Hit http://ftp.de.debian.org jessie InRelease
Ign https://people.debian.org unstable Release.gpg
Get:1 http://ftp.de.debian.org jessie/main amd64 Packages/DiffIndex [7876 B]
Ign https://people.debian.org unstable Release
Get:2 http://ftp.de.debian.org jessie/main Translation-en/DiffIndex [7876 B]
Err https://people.debian.org unstable/main amd64 Packages
Ign https://people.debian.org unstable/main Translation-en
Fetched 15.8 kB in 6s (2588 B/s)
W: Failed to fetch https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages
E: Some index files failed to download. They have been ignored, or old ones used instead.
root@savannah:/#

At the minimum error message should say the signature could not be verified like wget

wget http://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages
converted 'http://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages' (ANSI_X3.4-1968) -> 'http://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages' (UTF-8)
--2014-12-03 09:52:26-- http://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages
Resolving people.debian.org (people.debian.org)... 5.153.231.30, 2001:41c8:1000:21::21:30
Connecting to people.debian.org (people.debian.org)|5.153.231.30|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages [following]
converted 'https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages' (ANSI_X3.4-1968) -> 'https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages' (UTF-8)
--2014-12-03 09:52:27-- https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages
Connecting to people.debian.org (people.debian.org)|5.153.231.30|:443... connected.
ERROR: The certificate of 'people.debian.org' is not trusted.
ERROR: The certificate of 'people.debian.org' hasn't got a known issuer.

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: Pirate Praveen <praveen@debian.org>, 771896-done@bugs.debian.org
- Subject: Re: Bug#771896: apt-transport-https must depend on ca-certificates
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Wed, 3 Dec 2014 22:05:18 +0100
- Message-id: <20141203210518.GB1597@crossbow>
- In-reply-to: <547EE1D1.5010506@debian.org>
- References: <547EE1D1.5010506@debian.org>
Hi,

On Wed, Dec 03, 2014 at 03:41:29PM +0530, Pirate Praveen wrote:
> package: apt-transport-https
> version: 1.0.9.3
> severity: grave
> justification: installing apt-transport-https should be enough to access
> https repos
>
> On a fresh chroot, apt-get update failed on a https repo even when
> apt-transport-https was installed. It was working after ca-certificates
> package was installed.

You are assuming that each and everyone is using -https with a certificate anchored by the big CA guys contained in the ca-certificate package. That isn't required though. There is no problem in using a self-signed certificate or to pin to a specific CA for example.

In other words: It is at most a Recommends and not Depends.

And while it might not hurt[0] to add it to -https, we depend on libcurl3-gnutls, which itself recommends ca-certificates, so you already get it if you haven't chosen to be unusual (= disabled recommends).

In other words: No need to fix that for jessie - as the release team has already ruled with the severity downgrade.

[0] Now, one last bit: fix the bug after jessie or not? Well, -https doesn't use ca-certificates directly. It uses curl which uses it, but we don't explicitly request it: It is just their default and I would argue that it is more their task to "work out of the box" than it is ours to make that happen – and they do, so if we do it as well we achieve nothing, but risk that this becomes obsolete (or worse) if they change their default to something else.

So, all things combined: Closing as not a bug.

Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature
--- End Message ---
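
Added example, not part of either message and not apt's own code: a shell helper that reads `apt-config dump` output and reports which CA file the https method would use for a host, covering both the pinned-CA setup David describes and the empty default bundle seen in the fresh chroot. The function name and the optional root-prefix argument are hypothetical; `Acquire::https::CaInfo` and its per-host form are apt's documented options, and the default bundle path is an assumption about curl's Debian default.

```shell
#!/bin/sh
# Assumption: curl's default CA bundle on Debian, generated by ca-certificates.
DEFAULT_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# https_trust_anchor HOST [ROOT]
# Reads `apt-config dump` output on stdin. ROOT is an optional directory
# prefix (e.g. a chroot path) under which the CA file is looked up.
# Prints "<origin> <path> <status>"; returns 0 only if the file is usable.
https_trust_anchor() {
    ta_host_re=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    ta_root=${2:-}
    ta_conf=$(cat)

    # A host-specific CaInfo overrides the global one.
    ta_path=$(printf '%s\n' "$ta_conf" |
        sed -n "s/^Acquire::https::${ta_host_re}::CaInfo \"\(.*\)\";\$/\1/p" |
        tail -n 1)
    ta_origin=host-pinned
    if [ -z "$ta_path" ]; then
        ta_path=$(printf '%s\n' "$ta_conf" |
            sed -n 's/^Acquire::https::CaInfo "\(.*\)";$/\1/p' | tail -n 1)
        ta_origin=global-pinned
    fi
    # Nothing pinned: apt leaves the choice to curl's built-in default.
    if [ -z "$ta_path" ]; then
        ta_path=$DEFAULT_BUNDLE
        ta_origin=curl-default
    fi

    # Missing or empty file: the fresh-chroot case from the report.
    if [ ! -s "$ta_root$ta_path" ]; then
        echo "$ta_origin $ta_path missing"
        return 1
    fi
    # A file without any PEM certificate gives curl no issuer to trust.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ta_root$ta_path"; then
        echo "$ta_origin $ta_path no-certificates"
        return 1
    fi
    echo "$ta_origin $ta_path ok"
}

# Usage: apt-config dump | https_trust_anchor people.debian.org
```

A `curl-default ... missing` result is the state in which `apt-get update` printed only `Err` for the https source.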